Question

How to Assign NTFS Permissions in W2k3 for Child Folders?

NTFS permissions can be a headache at times, and that's exactly what I am going through right now. Here is the situation I am facing: we are running Windows Server 2003 in our domain with a file server where we have a shared folder called All Employees, and each user or employee has his own folder inside this All Employees folder. What we want is that every user can gain access to the All Employees folder but should not access another user's folder.

So what I did was to assign List Folder Content permission to the Domain Users group for the root folder, in this case All Employees, since all the domain users are part of the Domain Users security group. This worked just fine, but the problem is that the permission I assigned to the parent folder (All Employees) is propagating through to all child folders, enabling all users to traverse into another user's folder; even though they cannot open the files, they can see what is in other employees' folders. Our aim is to restrict users from accessing a fellow employee's folder: after they have gained access to the root folder (All Employees), the respective user should only be able to access his folder. By the way, we have over 250 users.

All Answers

child folders

Have you unchecked "apply settings to child folders"? You can also set the permissions for Everyone to read and write so that way a new user is able to create a folder, but you need to make sure the setting goes to that folder and not to child folders.

Response To Answer

Your best bet may be to delete the list content for all users; this will not allow users to see the folder. Then you will need to re-add the read for Everyone, but there should be an option in the advanced settings that says "apply settings to child folders"; you will need to uncheck that. Then it should ask whether to remove the current settings on the child folders or keep them; you will want to keep them.

*I don't have access to a server right now so the wording is not exact.

**I also recommend you test any changes from here on out so you don't mess anything else up.
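The layout these answers describe (a root-folder entry that applies to "This folder only", with each child folder carrying its own entries) can be scripted; this is an added PowerShell example, not part of the original thread. The share path, the domain name EXAMPLE, the Modify right for the owner, and the convention that each folder is named after its owner's logon name are assumptions, and it needs PowerShell 2.0 or later for try/catch.

```powershell
# Assumed values (not from the thread): share path, NetBIOS domain name, and
# that every child folder is named after its owner's logon name.
$Root   = 'D:\Shares\All Employees'
$Domain = 'EXAMPLE'

function New-AllowRule([string]$Identity,
                       [System.Security.AccessControl.FileSystemRights]$Right,
                       [System.Security.AccessControl.InheritanceFlags]$Inheritance) {
    # PropagationFlags 'None' + AccessControlType 'Allow'
    $ctorArgs = $Identity, $Right, $Inheritance, 'None', 'Allow'
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ctorArgs
}

# Root: Domain Users can list and traverse this folder only. InheritanceFlags
# 'None' is what the GUI shows as "This folder only", so nothing propagates.
$domainUsers = New-Object System.Security.Principal.NTAccount("$Domain\Domain Users")
$acl = Get-Acl -Path $Root
$acl.PurgeAccessRules($domainUsers)            # drop the old explicit, propagating entry
$acl.AddAccessRule((New-AllowRule "$Domain\Domain Users" 'ReadAndExecute' 'None'))
Set-Acl -Path $Root -AclObject $acl

# Children: stop inheriting from the root, then grant only admins, SYSTEM and the owner.
$subtree = 'ContainerInherit, ObjectInherit'   # "This folder, subfolders and files"
foreach ($dir in (Get-ChildItem -Path $Root | Where-Object { $_.PSIsContainer })) {
    $owner = New-Object System.Security.Principal.NTAccount("$Domain\$($dir.Name)")
    try {
        # Fails if the folder name does not map to an account; skip before changing anything.
        [void]$owner.Translate([System.Security.Principal.SecurityIdentifier])
    } catch {
        Write-Warning "No account for '$($dir.Name)'; folder left unchanged"
        continue
    }

    $acl = Get-Acl -Path $dir.FullName
    $acl.SetAccessRuleProtection($true, $false)   # block inheritance, discard inherited ACEs
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $acl.RemoveAccessRuleSpecific($ace)       # clear leftover explicit entries
    }
    $acl.AddAccessRule((New-AllowRule 'BUILTIN\Administrators' 'FullControl' $subtree))
    $acl.AddAccessRule((New-AllowRule 'NT AUTHORITY\SYSTEM'    'FullControl' $subtree))
    $acl.AddAccessRule((New-AllowRule $owner.Value             'Modify'      $subtree))  # assumed right
    Set-Acl -Path $dir.FullName -AclObject $acl
}
```

Run it against a copy of the folder tree first and compare the result with `Get-Acl` before touching the production share.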

Access-based enumeration

I used access-based enumeration on five file servers from 2007 and I will recommend you to read a good article about this useful feature available on Windows 2003 R2 or Windows 2003 with SP1 - http://www.windowsnetworking.com/articles_tutorials/Implementing-Access-Based-Enumeration-Windows-Server-2003.html

From Technet: "Windows Server 2003 Access-based Enumeration makes visible only those files or folders that the user has the rights to access. When Access-based Enumeration is enabled, Windows will not display files or folders that the user does not have the rights to access. This download provides a GUI and a CLI that enables this feature."

Download: http://www.microsoft.com/download/en/details.aspx?id=17510

"There are a few limitations of ABE:
- You need Windows Server 2003 R2 or SP1 in order to be able to use it.
- Users who are administrators will be able to see every file and folder in a share even with ABE enabled and even when they have Deny ACE on these items.
- ABE does not apply to users who can log on interactively to the server, regardless of whether they are administrators or not. This means ABE isn't really suitable for Terminal Services environments.
- You can't configure ABE so that a newly created share is automatically ABE-enabled.
- Finally, ABE adds a few percentage points processing overhead to the file server, and this must be taken into account in heavy-load situations."

Finally Solved

I want to thank you all for your input. I finally managed to work things around; it really was a big mess as stated by Kenone. I had to follow patb071@...'s suggestion and we are finally back in business just the way we want it. But I still have some questions:

(1) When I go to the security properties of this folder and then Advanced, when I click on the Owner tab I see these two names in the "Change owner to:" box: there is the administrator, who is the current owner, and my name. How do I remove my name from this list and leave just the administrator in that list?

(2) puiu.chitu@... you spoke of ABE. I haven't yet tried it but it sounds like a good tool and a must-have one. My question is: besides Windows Server 2003 R2 and SP1, can ABE run on XP SP3 just like we run the Active Directory Users and Computers snap-in? If so, please advise further.

Response To Answer

Administrator: I don't think you can remove that. Your account (with your name) is the administrator account. You would have to remove the account, and then you won't be able to do anything else. If you are the only person in the Administrators Group, you'd be pretty much screwed from then on.
